People Security has a rich and customizable curriculum of security awareness and software security courses that are designed to help build better software through real-world examples, hands-on labs, video, and striking anecdotes. We do this through a mix of our next generation e-learning (Experience Learning), hands-on live instructor led courses, and security mentoring. All of our courses are customizable to combine both industry security best practices and organization security policies.

Experience Learning is designed for organizations that need flexibility in the delivery of learning experiences. We've taken a unique and personal approach to educating the enterprise. Learning is self-paced, individualized, example rich, and lab intensive. Each e-learning module has customizable assessment mechanisms to allow you to track learning and progress across the enterprise and get a global view of security readiness.

People Security prides itself on creating courses that lead to real behavior change. Our classes are example rich and most are hands-on. Our courses follow the "teach, show, do, assess" approach: students first learn a concept, the concept is then illustrated through real-world examples, the student then walks through applying that knowledge in a lab, and finally the student is assessed on the learning.

Security mentoring is both a people and process change. Experts from People Security work with the business to help them define software security policies based on compliance standards, internal company policies, vertical best practices, and risk profile. The program helps define policies for outsourcing, managing 3rd party components when building software solutions, and gives assurance that projects will be delivered with both high quality and security.

Curriculum

Designing software securely means ensuring that security features are correct and that functional features are secure. Our courses help you do both by teaching the principles of secure design like least privilege, defense in depth, compartmentalization and more to help you design a system that will withstand attack and minimize business risk.


Software Security Architecture

2 days instructor-led

Audience: architects, designers, IT managers, developers
In this course we arm designers and architects with the concepts, examples and exercises to bake security into their software design processes. The bulk of the course examines the 25 principles of designing applications securely. It takes an example-rich tour through principles including least privilege, compartmentalization, designing for compliance, and creating secure error handling routines. We'll then explore technologies and components that you can plug into your application. The course also goes through the steps to evaluate 3rd party components for security before you make them part of your solution.

Developing software securely is all about awareness of security flaws, what they look like, why they are exploitable, and techniques to fix them systematically. Our secure coding courses focus on coding defensively to ensure that code is both correct and more secure while balancing performance, usability and maintainability goals.


Secure Coding Fundamentals

2 day in person, 14 hours eLearning

Audience: Developers, architects, development managers
This course gives developers practical techniques to prevent and fix software security vulnerabilities. It explores how and why software fails with respect to security and provides an example-rich tour through the most severe classes of software vulnerabilities, including techniques to avoid and fix them. The e-learning course can be viewed under two personas: Java and C/C++. The persona choice changes the code examples, labs, and modules so that both general secure coding concepts and language-specific incidents are covered.

Awareness of security threats, attacker techniques and policies is the most powerful defense against business risks that come from software security vulnerabilities. Our awareness courses help arm executives, managers, architects and technical staff with knowledge to minimize IT risk.


Executive application security overview

1 hour eLearning

Audience: executives, managers, and directors
This course presents an overview of software security risks. It focuses on business impact of vulnerabilities and offers a brief overview of why security is critical in the development of software and in contractual agreements with outsourcers.

Application Security Awareness

3 hour eLearning

Audience: executives, managers, and directors
This course focuses on the business context of software security along with the evolving threat landscape: compliance, breach notification laws, changing attacker motives, and the security implications of new technologies. The course then takes the audience through real-world examples of software security vulnerabilities and discusses their impact and business context. Next, attendees get an overview of these topics: security in the software development lifecycle, the security activities that can be infused into the process, how to measure their effectiveness, and the methodologies, techniques, and tools available to implement them. Finally, the course looks at some of the major drivers of security moving forward.

Testing for security vulnerabilities is very different from traditional functional testing. Security vulnerabilities often manifest as side-effects of normal application functionality and sometimes don't violate functional requirements. Our courses train testers to focus on abuse cases and then apply offensive testing techniques to bring vulnerabilities to the surface.


Software Security Testing Fundamentals

2 days instructor-led, 13 hours eLearning

Audience: Security testers
Security testing is very different from functional testing. Functional testers focus on requirements and use; security testers need to consider behavior constraints and abuse. This class focuses on practical security techniques that bring security vulnerabilities to the surface during testing. Testers will learn how to perform software security audits and how to test robustness. This class is very detailed and covers techniques for finding both security flaws and business logic issues that can put your application at risk. The class also covers techniques for threat modeling, fuzz testing, risk coverage, and triage.

Deploying software securely means assessing the risk that it brings into the enterprise and putting compensating controls in place to manage that risk. Our courses in this category are designed to help integrators assess the security of software, create operational threat models, and apply principles like compartmentalization, redundancy, and patchability.


Creating a secure deployment guide

1 day instructor-led

Audience: Architects, solution integrators
Great software can be made insecure through poor deployment. Customers, operations groups and users need to be able to use software in a way that minimizes risk. This course focuses on helping you create a secure deployment guide for your software. We focus on the diversity of deployment environments, patching, handling conflicts between demands of the environment and software

Requirements for software security come in two flavors: positive and negative. Positive security requirements define what a system should do. Negative requirements define what a system should not do. Our courses arm you with the skills to navigate compliance, policies, and risk, and to gather both positive and negative requirements.


Gathering Security Requirements

1 day instructor-led

Audience: Planners, architects, designers, software business managers, enterprise risk
This course focuses on the importance of applying security design principles to minimize vulnerabilities as well as implementing positive security controls and policies such as access control, privacy, etc. These concerns can and should be addressed early in the life cycle by syncing business needs to security requirements. The course specifically addresses privacy, security design principles (least privilege, compartmentalization, etc.), compliance in software (Sarbanes Oxley, GLBA, PCI DSS, etc.), and disclosure issues.